Hi,

In the book Agile Web Development With Rails, the section "Would the Last Admin to Leave" raises an interesting issue which I am facing in the real world at the moment.

The book states:

    The delete function (Admin) does raise one interesting issue, though. We don't want to delete all the administrative users from our system (because if we did we wouldn't be able to get back in without hacking the database).

I recently faced a similar situation at work. A software company built us (I am the customer) a custom-built content management system. The testing company (we hired a third-party testing company to do the testing) found out that all admin users can be deleted from the system, resulting in a non-functional system. The testing company thinks this is unacceptable. However, the software company argues that nothing is hard coded, so the "last admin can leave".

The code in the book Agile Web Development With Rails is implemented with a hardcoded check. My question: who is right, the software company or the testing company? What are the best practices for this situation? Does anybody face the same problem, how did you solve it, and where can I find more on this topic?

Many thanks
Ming
I would say it is up to you, the customer. If you don't want to run into the issue, tell the software company to hardcode it. If you like it being fully dynamic, make sure you train your admins.

On 9/15/05, Ming Ma <mingworld-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
<snip>

_______________________________________________
Rails mailing list
Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
http://lists.rubyonrails.org/mailman/listinfo/rails
I would set admin levels, like old irc chanserv.

On 9/15/05, Matt Pantana <matt.pantana-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> I would say it is up to you, the customer. If you don't want to run into
> the issue, tell the software company to hardcode it. If you like it being
> fully dynamic, make sure you train your admins.
<snip>

--
Wagner Narde
wnarde-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
Ming Ma <mingworld-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> writes:

> The code in the book Agile Web Development With Rails is implemented with
> a hardcoded check. My question: who is right, the software company
> or the testing company? What are the best practices for this situation?
> Does anybody face the same problem, how did you solve it, and where can I
> find more on this topic?

I'll chime in and say you shouldn't allow the last admin to leave. It's a fairly simple check in the model and no cost in the controller.

    class Admin < ActiveRecord::Base
      # blah blah blah...

      # Returning false from a before_destroy callback cancels the destroy.
      before_destroy :check_for_last_admin

      def check_for_last_admin
        if Admin.find(:all).length == 1
          errors.add_to_base("Can't delete the last admin")
          return false
        end
      end
    end

I'm sure there's a more efficient way to count the number of admins with find_by_sql; but I don't think the price for this operation is too high for an admin.destroy. How often are you going to be destroying admins?

--
Doug Alcorn - http://lathi.net/RubyOnRailsDeveloper
doug-jGAhs73c5XxeoWH0uzbU5w@public.gmane.org
Sorry, I don't understand your point.

On 9/15/05, Wagner Narde <wnarde-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> I would set admin levels, like old irc chanserv.
<snip>
Sorry, it's an asp.net app. I will try to introduce Rails to my place :) I see your point. Thanks.

Ming

On 9/16/05, Doug Alcorn <doug-jGAhs73c5XxeoWH0uzbU5w@public.gmane.org> wrote:
<snip>
My app checks on login for users in the db. If there are no users, it creates one called "admin" with the password "admin". I still protect 'admin' from being deleted from the database, but users could be dropped by something else (maybe even a bug I didn't catch). That's just my approach.

-----Original Message-----
From: rails-bounces-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org [mailto:rails-bounces-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org] On Behalf Of Ming Ma
Sent: Thursday, September 15, 2005 8:44 AM
To: rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
Subject: [Rails] Rails Book - Would the Last Admin to Leave
<snip>
Another way is to prevent admins from being able to delete themselves (which probably makes sense for other reasons, too). In this case, assuming admins are the only ones who can delete users, there should always be an admin user in the system.

Jen
On Sep 15, 2005, at 9:03 AM, Doug Alcorn wrote:

<snip>
> if Admin.find(:all).length == 1
<snip>
>
> I'm sure there's a more efficient way to count the number of admins
> with find_by_sql; but I don't think the price for this operation is
> too high for an admin.destroy. How often are you going to be
> destroying admins?

Admin.count should do the trick. It does a SELECT COUNT(*) instead of SELECT *.

http://api.rubyonrails.org/classes/ActiveRecord/Base.html#M000683
jennyw wrote:
> Another way is to prevent admins from being able to delete themselves
> (which probably makes sense for other reasons, too). In this case,
> assuming admins are the only ones who can delete users, there should
> always be an admin user in the system.

That would be my choice. If I remember right, the approach used in the book changed between successive drafts.

regards
Justin
On Sep 15, 2005, at 12:03 PM, Justin Forder wrote:
> That would be my choice. If I remember right, the approach used in
> the book changed between successive drafts.

There's a race condition if you use count(*), and I didn't want to get into the whole transaction thing at that point, so I simply made it check for a known user id.

Not being able to delete yourself also has a race condition, if two admins delete each other at the same time.

Cheers
Dave
Dave Thomas wrote:
> On Sep 15, 2005, at 12:03 PM, Justin Forder wrote:
>> That would be my choice. If I remember right, the approach used in
>> the book changed between successive drafts.
>
> There's a race condition if you use count(*), and I didn't want to get
> into the whole transaction thing at that point, so I simply made it
> check for a known user id.
>
> Not being able to delete yourself also has a race condition, if two
> admins delete each other at the same time.

Good point, and using a transaction wouldn't help there (the race is within the two administrators' sessions).

Justin

P.S. I saw in DHH's interview that you are going to a third printing - how many copies have been sold now?
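The two interleavings Dave and Justin describe, replayed in a small Ruby script. This is an added illustration, not code from the thread or from the book: the database is replaced by an in-memory set, and AdminTable, delete_if_not_last, delete_unless_protected and PROTECTED_ADMIN_ID are names made up for it. It shows Doug's count check failing when the check and the delete are separate steps, the "can't delete yourself" rule failing when two admins delete each other, and two guards that hold up under the same pressure: the count check done atomically under a lock, and the known-id check from the book.

```ruby
require 'set'

# Constructed in-memory stand-in for the admins table (hypothetical class;
# a real app would hit the database here).
class AdminTable
  PROTECTED_ADMIN_ID = 1   # assumption: the bootstrap admin that must survive

  def initialize(ids)
    @ids  = Set.new(ids)
    @lock = Mutex.new
  end

  def count
    @ids.size
  end

  def ids
    @ids.to_a.sort
  end

  # Naive guard, step 1: the check on its own (the Admin.count > 1 idea).
  def more_than_one_admin?
    @ids.size > 1
  end

  # Naive guard, step 2: the unconditional delete that follows a passed check.
  def delete!(id)
    @ids.delete(id)
    nil
  end

  # Atomic guard: check and delete as one step under a lock, so no other
  # session can run its own check between the two. The database equivalent
  # is a transaction that locks the admins rows (or one conditional DELETE),
  # not two separate statements.
  def delete_if_not_last(id)
    @lock.synchronize do
      return false unless @ids.include?(id) && @ids.size > 1
      @ids.delete(id)
      true
    end
  end

  # Known-id guard (Dave's choice): one fixed admin id can never be deleted.
  # No count is read, so there is nothing for a second session to race.
  def delete_unless_protected(id)
    return false if id == PROTECTED_ADMIN_ID || !@ids.include?(id)
    @ids.delete(id)
    true
  end
end

# Interleaving 1: sessions A and B both run the naive guard on a table of two
# admins, and both checks happen before either delete. Both checks pass and
# the table ends up empty. Returns the admin count afterwards (0).
def naive_count_guard_race
  t = AdminTable.new([1, 2])
  a_may_delete = t.more_than_one_admin?   # A sees 2 admins
  b_may_delete = t.more_than_one_admin?   # B also sees 2: A has not deleted yet
  t.delete!(1) if a_may_delete
  t.delete!(2) if b_may_delete
  t.count
end

# Interleaving 2: "you may not delete yourself", with admin 1 deleting admin 2
# while admin 2 deletes admin 1. Each request passes the rule on its own, so
# the rule alone also empties the table. Returns the count afterwards (0).
def self_delete_rule_race
  t = AdminTable.new([1, 2])
  [[1, 2], [2, 1]].each do |actor, target|   # [acting admin, admin to delete]
    t.delete!(target) unless actor == target
  end
  t.count
end

# The atomic guard under real concurrency: two threads race to delete 1 and 2.
# The lock serialises them, so exactly one delete succeeds and one admin stays.
# Returns [admins left, successful deletes], i.e. [1, 1].
def atomic_guard_under_race
  t = AdminTable.new([1, 2])
  outcomes = [1, 2].map { |id| Thread.new { t.delete_if_not_last(id) } }.map(&:value)
  [t.count, outcomes.count(true)]
end

# The known-id guard under the same two deletes: admin 2 can go, admin 1 cannot,
# whatever the order. Returns [ids left, outcomes], i.e. [[1], [true, false]].
def known_id_guard_under_race
  t = AdminTable.new([1, 2])
  outcomes = [2, 1].map { |id| Thread.new { t.delete_unless_protected(id) } }.map(&:value)
  [t.ids, outcomes]
end

if $PROGRAM_NAME == __FILE__
  puts "naive count guard, interleaved:  #{naive_count_guard_race} admins left"
  puts "self-delete rule, mutual delete: #{self_delete_rule_race} admins left"
  puts "atomic guard, two threads:       #{atomic_guard_under_race.inspect}"
  puts "known-id guard, two threads:     #{known_id_guard_under_race.inspect}"
end
```

The point the script makes is the one Justin draws: the problem is not the count itself but the gap between reading it and acting on it. Either the read and the delete have to be one indivisible step (the lock here, a locking transaction or a conditional DELETE in the database), or the invariant has to be one that needs no read at all, which is what protecting a known id buys. A rule that only looks at the single request in hand, such as "not yourself", cannot see the other session and so cannot close the gap, whether or not each request runs in its own transaction.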